No More Free Bugs: ~10 Years Later
It’s been several years since the “No More Free Bugs” movement started to gain traction, but now it seems as almost everyone has some form of bug bounty for researchers. This presentation will go over the motivations of certain researchers to stop giving away their work for free and demand satisfaction (well, as close to satisfaction as one can get).
How Many Million BIOSes Would You Like to Infect?
So you think you’re doing OPSEC right, right? You’re going to crazy
lengths to protect yourself, reinstalling your main OS every month, or
using a privacy-conscious live OS like Tails. Guess what? BIOS malware
doesn’t care! BIOS malware doesn’t give a shit!"
Though long thought to be impractical, this talk will dispel the illusion
that sophisticated BIOS level malware is exclusively within the realm of
possibility for nation state actors. Recent disclosures of firmware
level vulnerabilities have given us reliable entry vectors into the
firmware on almost all systems we have surveyed. Furthermore, the well
defined nature and modularity of UEFI significantly lower the bar for
coherently implanting a firmware rootkit onto a system. This talk will
detail the result of our 1 month effort to infect the BIOS of every
business class system we could get our hands on.
Picking Fights with Toddlers: Embedded Device & IoT Exploitation
There is a latent distrust of the growing "Internet Of Things" market. The data collected by them is becoming more personal all while proliferation of internet connected devices is continuing without regard to privacy or security. Recent news stories has consumers concerned not only with privacy but also surveillance and data handling. There is no trusted third-party "consumer advocacy" for privacy and security of mobile apps and embedded systems. The designs of these systems make traditional software based security (like "anti-virus" or "end-point detection") virtually impossible. And if you don't think this is going to be a huge problem: Recent research demonstrates that a significant number of the nodes used in CURRENT DDoS attacks are actually compromised embedded devices NOT user end-points....So, the shift has already begun.The "internet of things" is not just newfangled consumer devices however. I'll talk a bit about this and a recurring trend we see in these network enabled embedded systems: something we call the "uncanny valley" that gives rise no only to vulnerabilities but also huge tools gaps for software and hardware security research.
This talk will catalog some of our experiences at Xipiter exploiting these kinds of embedded systems. From trivial "exploitation" to the more advanced hardware exploitation and binary exploitation techniques. We'll talk about how we've applied these techniques to everything from Payment systems and Game Consoles to more esoteric devices like Gaming systems (lottery, casino, etc) and Industrial Controls Systems. We'll also talk about about the custom hardware we've developed (and sell to researchers at http://int3.cc) to help us with this stuff also demonstrates the "tools gap".
Back to the Kitchen: DLP Security Bakeoff, THE SEQUEL
As we all know, computer security products are completely
infallible and, themselves, totally secure. Furthermore, Data Loss
Prevention (DLP) solutions are, hands down, the panacea for all data
leakage woes. But, we decided to pretend for a minute that they weren't,
AND YOU WON'T BELIEVE WHAT HAPPENED NEXT!
Despite a plethora of data security and protection standards and
certifications, companies and their systems are still leaking information
like a sieve. With deployment models ranging from a fat agent on an
endpoint, to a blinky-lights box surveilling all network traffic, to some
unified threat management gateway with DLP secret sauce, these solutions
are ripe for bypass - or worse.
This talk will discuss our previous and current research into a handful of
DLP solutions, including their capabilities and their shortcomings. We will
demonstrate flaws in administrative and programmatic interfaces and the
inspection engines themselves. Additionally, we will revisit the tools and
techniques we used to discover these issues.
OR'LYEH? The Shadow over Firefox
The Mozilla Firefox browser has a new garbage collection (GC)
has introduced significant changes to the way that Firefox's heap is
The GC heap is now divided into two layers; a first layer for short-lived
objects, called the 'nursery', and a second layer for objects that survived
a GC pass in the nursery, called the 'tenured' heap. Apart from these two,
latest version of Firefox continues to use jemalloc (on all its supported
for SpiderMonkey metadata and GC heap objects that fit certain criteria.
changes directly affect the way that the browser's heap can be manipulated
states that aid in the exploitation of heap vulnerabilities.
In this talk we will expand upon previous work we have published on
exploitation approaches and primitives for Firefox, taking into account its
GC heap implementation. The presentation will demonstrate a major upgrade
'unmask_jemalloc' Firefox heap exploration utility with new features, and
for Windows (and the WinDbg debugger). The new version of unmask_jemalloc,
'shadow', will be released as open source along with the talk.
You ain't executing this! Exploring Windows Security with Runtime Code Stripping and Process Freezing
Fighting off attacks based on memory corruption vulnerabilities is hard
and a lot of research was and is conducted in this area. In our recent
work we take a different approach and looked into breaking the payload
of an attack. Current attacks assume that they have access to every
piece of code and the entire platform API. In this talk we present a
novel defensive strategy that targets this assumption. We built a system
that removes unused code from an application process to prevent attacks
from using code and APIs that would otherwise be present in the process
memory but normally are not used by the actual application. Our system
is only active during process creation time, and, therefore, incurs no
runtime overhead and thus no performance degradation. Our system does
not modify any executable files or shared libraries as all actions are
executed in memory only. We implemented our system for Windows 8.1 and
tested it on real world applications. Besides presenting our system we
also show the results of our investigation into code overhead present in
Render unto the Heap that which is the Voodoos
Over the past 15 years, security researchers have created specific heap exploitation techniques targeting well identified allocators and developed tools to inspect, visualize, force and sometimes predict layout of dynamically allocated memory regions. Nonetheless, the diversity of Heap Allocators makes it hard for exploit writers to come up with generic heap prediction techniques. Among the various most used allocators are DLmalloc, PTmalloc, JEmalloc, the Windows Heap, as well as several flavors of Garbage collected memory allocators in web browsers. Internals of these allocators differ so vastly that coming up with generic tools to predict the dynamic behavior of these different implementations is currently out of reach. This talk aims at surveying the existing work in the field of heap analysis and attempt to introduce a systematic methodology to analyze dynamic behavior of allocators for the exploit writer.
An Examination of Infusion Pump Technology
Infusion pumps are medical devices that deliver drugs into a patient's body in controlled, prescribed amounts. These devices are instrumental in the delivery of patient care in hospitals across the world. How do these devices work? What do these devices look like under the hood? Are there vulnerabilities that could be leveraged to hurt or kill a patient? Let's take a look at a number of infusion pumps and explore the architecture, protocols, and vulnerabilities associated with these pumps. We'll also cover key aspects of vulnerability research in the medical device industry.